TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Enterprise-Wide Implementation of Active Directory® Needs Increased Oversight

May 2006

Reference Number: 2006-20-080

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

May 9, 2006

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM: Michael R. Philips
Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Enterprise-Wide Implementation of Active Directory® Needs Increased Oversight (Audit # 200520010)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) had effectively and securely implemented the Active Directory®-based network and the Windows 2003® Server Operating System.

Synopsis

The IRS is in the process of implementing an Active Directory®-based network and upgrading its computers to the Windows 2003® Server Operating System. Active Directory® is the Microsoft Corporation’s (Microsoft) latest technology for administering and securing computer networks and is a central component of the Windows 2003® Server Operating System.
Active Directory® manages the identities and relationships of computing resources that comprise a network, simplifies system administration, and provides easier methods to strengthen and consistently secure computer systems. Because the IRS’ previous network operating system was divided into obsolete and inefficient boundaries, expensive to manage, and difficult to consistently secure, the migration to Active Directory® should result in an upgraded network that can better meet the IRS’ future needs.

The IRS has made significant progress in its Active Directory® implementation; however, increased oversight is needed to ensure the IRS achieves all expected benefits, including more efficient network management and increased security.

The IRS has made significant progress in implementing Active Directory®. Planning began in Fiscal Year 2000, and the IRS expects to complete the migration by December 31, 2006. However, significant risks remain that must be addressed for the IRS to achieve the benefits of Active Directory®. For example, design standards must be enforced. Ideally, all IRS functions could be included within one boundary (called a forest[1] in Active Directory®).
However, managers and system administrators, who play a large role in managing current domains[2] and applications, may be reluctant to participate in the IRS Active Directory® forest since they will likely lose autonomous control over the network components. Five Active Directory® forests have already been established, and two IRS organizations have stated a need for additional separate forests. Adding unnecessary separate forests will increase the cost of implementing and maintaining Active Directory® and will make maintaining consistent security controls more difficult. Funding must also be provided to replace outdated computers that cannot support Active Directory®. In addition to the costs of the computers, the IRS is paying Microsoft custom support fees to support its outdated operating systems until the computers are replaced.

The Active Directory® Team did not have sufficient authority to finalize Active Directory® guidance documents, enforce adherence to design and security standards and industry best practices, and ensure the timely and successful migration of Active Directory® IRS-wide. During our review, the IRS formed a new project team with executive leadership that can provide the level of oversight needed to ensure the successful implementation of Active Directory®. Because the new team and leadership are already aware of these implementation issues, we made no recommendations to address these issues.

We also found some of the computers that had been migrated into the new Active Directory®-based network did not meet the IRS’ approved security standards. We reviewed a sample of 53 servers[3] from the 399 that had been migrated to the Active Directory®-based network at the time we initiated our review in July 2005.
Over 22 percent did not adequately comply with the IRS’ approved security settings, resulting in vulnerabilities that could be exploited by hackers and disgruntled employees. In some instances, Active Directory® security settings were changed to what the IRS considered stronger settings or to enable the servers to perform a particular role on the network. In both instances, changes were made without obtaining concurrence from the Chief, Mission Assurance and Security Services, and approval from the system owner, as required.

[1] The forest is the outermost boundary of Active Directory®.
[2] Domains are groups of computers on a network that are administered as a unit with common rules and procedures.
[3] Servers are computers that carry out specific functions. For example, file servers store files, print servers manage printers, and network servers manage network traffic.

In addition, sufficient oversight was not provided over system administrator accounts. These accounts need to be carefully controlled because they are the most powerful accounts that exist on the network and can perform critical tasks that have major effects on the security, operation, and performance of the network. We found:

• Unnecessary system administrator accounts had been created on 49 percent of the servers we tested. Accounts for these employees should have been created in a central system administrator group to improve the management of the accounts and to improve security.
• Built-in system administrator accounts were not being adequately safeguarded.
  System administrators must disguise these powerful accounts to prevent intruders from identifying them. While the IRS’ security standards require these accounts to be renamed to help hide them, the new names did not adequately disguise these accounts on 57 percent of the servers we tested. In addition, the nature of these accounts was still readily apparent on all 53 sampled servers because, directly next to the account names, there were descriptions labeling them as built-in system administrator accounts.

Recommendations

We recommended the Chief Information Officer develop a formal process for approving deviations from the IRS’ approved security settings for Active Directory®. When deviations are preferred or needed, concurrence from the Chief, Mission Assurance and Security Services, and approval of the system owner should be requested. We also recommended the Chief Information Officer improve oversight of system administrator accounts during the implementation of Active Directory®. Computers should be periodically reviewed for compliance with requirements. Procedures should be enforced and system administrators held accountable for adhering to these procedures.

Response

IRS management agreed with our recommendations. Requests for deviations will include the recommendation from the Chief, Mission Assurance and Security Services, and approval from the system owner. The IRS will increase oversight of system administrator accounts and enforce procedures for protecting them. Computers will be periodically monitored and system administrators will be held accountable for complying with procedures. Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E.
Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background

Results of Review
    Actions Are Needed to Allow Active Directory® to Simplify System Administration
    Actions Are Needed to Enable Active Directory® to Strengthen Network Security
        Recommendation 1
        Recommendation 2

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management’s Response to the Draft Report

Background

In today’s information
technology environment, networked computing is essential for organizations to remain effective and efficient. As a result, modern operating systems require a directory service for managing the identities and relationships of the resources that reside on networks. A directory service:

• Stores information about a network’s applications, files, and printers and the people who have access to the network.
• Provides a consistent way to name, describe, access, manage, and secure information about these resources.
• Acts as the main switchboard of the network operating system.

Because a directory service supplies these fundamental network operating system functions, it must be tightly coupled with the operating system controls to ensure the integrity and privacy of the network.

The Internal Revenue Service (IRS) operates a large computer network that includes about 3,000 servers[1] and 110,000 workstations using Windows® operating systems provided by the Microsoft Corporation (Microsoft). Until recently, the IRS network was divided into over 100 domains[2] that were based on obsolete and inefficient organizational boundaries, resulting in high operating costs and inconsistent security controls. The IRS’ domain structure lacked the flexibility, scalability,[3] and power needed to support changes in organizational needs.

In 2000, the IRS began addressing these concerns by planning the deployment of Active Directory®, Microsoft’s latest technology for administering and securing computer networks. In addition to strengthening security, Active Directory® can simplify system administration by providing a single, consistent point to manage users, applications, and devices.
It provides users with a single sign-on to network resources and provides system administrators with powerful tools to ensure consistent security controls among desktop users, remote dial-up users, and external e-commerce customers.

[1] Servers are computers that carry out specific functions. For example, file servers store files, print servers manage printers, and network servers manage network traffic.
[2] Domains are groups of computers on a network that are administered as a unit with common rules and procedures.
[3] Scalability is a term that refers to how well a system can adapt to increased demands. A scalable network can start with a few computers and network devices and can easily expand to thousands. Scalability means an organization will not outgrow its system.

Active Directory® is a pervasive technology that affects virtually the entire IRS network. Its implementation is a major undertaking due to the size of the IRS network and the diversity of IRS functions it supports. The IRS is currently in the process of upgrading its computers from the Windows NT® operating system to the Windows 2003® Server Operating System and moving them into the Active Directory®-based network. When we initiated this review in July 2005, the migration was still in process and the IRS had moved 399 servers to the new network.
The IRS expects to move all 110,000 workstations in early 2006 and all 3,000 servers by December 31, 2006.

This review was performed at the Active Directory® Team offices within the Modernization and Information Technology Services organization’s[4] End User Equipment and Services organization[5] in Boston, Massachusetts, and Atlanta, Georgia, during the period July through September 2005. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[4] The Modernization and Information Technology Services organization leads the delivery of IRS information technology solutions to meet enterprise-wide customer needs by providing information technology systems, products, services, and support.
[5] The End User Equipment and Services organization is a part of the IRS Modernization and Information Technology Services organization and provides end user computer products, services, and support to IRS functions.

Results of Review

The IRS has made significant progress in implementing Active Directory® and is on schedule for migrating user accounts, workstations, and servers into the new network.
However, significant risks remain that must be addressed for the IRS to achieve the benefits of Active Directory®, specifically to simplify system administration and strengthen overall security.

Actions Are Needed to Allow Active Directory® to Simplify System Administration

For the past several years, a team of about 20 members from the End User Equipment and Services organization has driven the design and deployment of the Active Directory®-based network for most of the IRS. The Active Directory Team developed design documents and implementation plans for the new Active Directory®-based network in accordance with Microsoft recommendations and industry best practices. While the Team has made significant progress, its members advised, and we confirmed, it did not have the cross-functional authority to ensure all IRS entities were working together, including the Modernization and Information Technology Services organization, the Office of Mission Assurance and Security Services,[6] and the IRS business units. The Team did not have the authority to finalize guidance documents, enforce adherence to design and security standards, or ensure timely and successful implementation of Active Directory® IRS-wide.

After we discussed these concerns with lead members of the Active Directory® Team, the IRS formed a new project team with the authority to address Active Directory® design and security issues from an enterprise perspective. The new team is led by the Enterprise Services organization[7] and reports to the Infrastructure Executive Steering Committee.[8] We concur with this approach and believe the Steering Committee can provide the executive-level oversight needed to implement Active Directory®.
To achieve the full system administration benefits of Active Directory®, the Steering Committee will need to enforce design standards and provide adequate funding and oversight to keep implementation on schedule. Because the Steering Committee is already aware of these implementation issues, we are making no recommendations to address these issues.

[6] The Office of Mission Assurance and Security Services is a service and support organization that assists the IRS operating divisions in maintaining secure facilities, technology, and data.
[7] The Enterprise Services organization is a part of the Modernization and Information Technology Services organization and manages common information technology functions and services performed across the IRS.
[8] The Infrastructure Executive Steering Committee oversees the technological infrastructure for building modernized systems.

Active Directory® design standards must be enforced

The large and dispersed network used by the IRS often requires time-consuming and redundant system administration. Active Directory® allows the IRS to significantly lower system administration costs by providing a single place to manage users, groups, and network resources, as well as to distribute software and manage desktop configurations.
It automatically distributes software to users based on the users’ roles, thus reducing or eliminating multiple contacts the system administrators need to make to employees’ workstations to install and configure software.

Active Directory® uses a hierarchical approach to allow organizations to more easily administer the entire network and to customize administration based on the needs of users. Active Directory® refers to its outermost logical boundary as a forest. A forest is a collection of subsets that share the same Active Directory® configuration and design elements. These subsets are called domains. Domains are used to manage the various populations of users, computers, and other network resources.

A best practice is to create a large “production domain” to hold almost all of an organization’s users and computers. A smaller “root domain” is created to contain a minimal number of powerful administrative accounts and computers. Within domains, smaller subsets called “organizational units” are used to create administrative groupings of users, computers, and printers that can be uniformly managed.
Figure 1 depicts the various levels in the Active Directory® hierarchy.

Figure 1: Illustration of a Common Active Directory® Structure

Source: The Treasury Inspector General for Tax Administration’s depiction based on Microsoft documentation.

Ideally, the IRS could maintain one forest, then use domains and organizational units to group objects that have common system settings based on specific needs of the various IRS functions. Separate forests add overhead and are less efficient because they require the creation and maintenance of additional design elements and security components, whereas adding an entity to an existing forest takes advantage of existing design elements and security components.

The Active Directory® Team established the main IRS production forest and provided criteria in accordance with industry best practices for justifying additional forests. IRS entities requesting a separate forest must have stringent security requirements, such as the maintenance of law enforcement data, that require elevated security clearance for system administrators.

To date, the IRS has been successful at limiting the number of forests.
Most network resources are included in a single forest with a root domain and one large production domain. Additional forests have been created for two IRS functions (the Offices of Chief Counsel and Criminal Investigation) and one system (the Integrated Submission and Remittance Processing System[9]) that need greater security and can justify the need for separate forests. A forest was also created for the Integrated Financial System[10] because it was implemented before the IRS was ready to deploy Active Directory® on an enterprise-wide basis. However, this system does not meet the IRS’ criteria for establishing a separate forest; therefore, consideration should be given to bringing it into the IRS’ main production forest to achieve maximum efficiencies and security of IRS operations.

As the implementation of Active Directory® continues, we expect other entities will request separate forests. Managers and system administrators who play a large role in managing current domains and applications may be reluctant to participate in the IRS Active Directory® forest since they will likely lose autonomous control over the network components. For example, two IRS organizations have stated a need for separate Active Directory® forests in addition to the five forests already established.
Adding unnecessary separate forests will increase the cost of implementing and maintaining Active Directory® and will make maintaining consistent security controls more difficult.

Funding must be provided to ensure Active Directory® implementation remains on schedule

The IRS must also allocate sufficient funds to achieve the benefits of Active Directory®. Most of the advanced security features offered by Active Directory® cannot be implemented until outdated computer workstations and servers that cannot support Active Directory® are updated or replaced. Salary costs for upgrading or replacing servers and workstations were approximately $5.2 million in Fiscal Year 2005, and an additional $2.4 million is estimated to be spent in Fiscal Year 2006. In addition, the IRS must continue to pay Microsoft to support its outdated operating system. After Microsoft support for the IRS’ current network operating system ended in December 2004, the IRS paid for custom support so it could continue to receive security patches costing about $318,000 through December 2005. Because computers with the old operating system are not expected to be upgraded and migrated into Active Directory® until December 31, 2006, the IRS plans to continue custom support agreements costing $100,000 for each 6-month period those computers are operating. Delays in updating or replacing the outdated workstations and servers will not only postpone the benefits of Active Directory® but also force the IRS to pay additional support costs for its outdated operating system.

We also noted resources and funding for a separate forest to be used as a testing environment had not been sufficient.
IRS security standards require testing to be done separately from the production environment. Because the IRS did not fund a separate testing forest, testing was performed in the production forest and in unauthorized test domains that were not compliant with IRS security policies, expensive to maintain, and likely do not represent the production forest. As a result, testing could disrupt the production environment and produce unreliable results.

[9] The Integrated Submission and Remittance Processing System processes paper returns and payments submitted by taxpayers.
[10] The Integrated Financial System gives the IRS timely and easier access to accurate and consistent financial data, resulting in improved decision making and management.

Actions Are Needed to Enable Active Directory® to Strengthen Network Security

Strong and consistent security controls are essential to protect the confidentiality, integrity, and availability of sensitive taxpayer data maintained on the IRS network. Active Directory® centralizes system administration and enforces role-based access controls that can be applied to both desktop and remote users. To take advantage of Active Directory® capabilities to strengthen the security of the IRS network, the IRS should ensure security settings on servers are enhanced, system administrator access rights are controlled, system administrator accounts are securely managed, and built-in system administrator accounts are safeguarded.

Server security settings did not always comply with IRS standards

The IRS has standard security settings for many types of computers.
Active Directory® provides new techniques for consistently applying these settings. Computers that need to be similarly secured are placed in a group, called an organizational unit. Customized security settings needed for computers in a particular organizational unit are placed into one or more subsets, called group policy objects. Security settings are consistently applied to all the computers by linking the organizational unit to the corresponding group policy objects. Any computer subsequently added to the organizational unit should automatically receive the appropriate security settings. Deviations from the standard settings must be concurred with by the Chief, Mission Assurance and Security Services, and approved by the system owner.

Because IRS servers have various roles, the Active Directory® Team created an organizational unit for each role. The IRS also created a group policy object containing universal security settings, which are applied to all of its server organizational units, and several specialized group policy objects containing additional settings, which are applied to only specific server organizational units.

In our sample of 53 servers moved to the Active Directory®-based network, 12 (22.6 percent) did not adequately comply with the IRS’ approved settings. Six servers did not adequately comply because the organizational unit in which they were located was not linked to a group policy object. The Active Directory® Team deleted this organizational unit from the Active Directory® before our audit had been completed.
Five servers were in organizational units linked to two group policy objects that did not adequately comply with the IRS’ approved set of security settings. For example, on the 5 servers, we tested the configurations for 12 user rights[11] that we considered sensitive and found an average of 10 unapproved user rights. Lastly, one server failed to meet standards because it had a high-risk vulnerability, the lack of antivirus protection.

Some noncompliant settings in group policy objects can be attributed to human error by those implementing the settings. Other noncompliant settings were made because the Active Directory® Team purposely created settings it considered stronger than the IRS’ approved settings or to enable the server to perform a specific function. In both cases, changes to the settings were made without obtaining concurrence from the Chief, Mission Assurance and Security Services, and approval from the system owner, as required. We also noted written instructions for building and configuring Windows 2003® servers had not been prepared by the End User Equipment and Services organization before the servers were put into operation. These instructions may have improved the compliance rate of the settings used for the servers.

The use of unapproved security settings may create vulnerabilities for hackers or disgruntled employees to exploit.
At a minimum, system administrators using unapproved settings diminish the capability of Active Directory® to ensure approved security controls are consistently implemented throughout the IRS network.

Sufficient oversight was not provided over system administrator accounts and access rights

The IRS requires employees to be provided only the access rights they need to carry out their responsibilities. System administrator accounts are especially powerful. Employees assigned to these accounts can make changes to the directory service, control directory-wide security settings, and install software. We found that, during the transition to Active Directory®, system administrator access was not adequately controlled, unnecessary system administrator accounts were established on servers, and built-in system administrator accounts were not being adequately safeguarded.

System administrator access was not adequately controlled. Industry best practices recommend keeping the membership of system administrator groups to the absolute minimum necessary to support the organization and limiting system administrator rights to only those needed by the individuals in the groups. Prior to implementation of Active Directory®, employees who may have needed only limited system administrator rights to carry out their responsibilities were assigned to system administrator groups with full system administrator capabilities because the previous operating system could not customize system administrator groups. For example, during a recent audit we found that employees were given full system administrator rights on 34 percent of the computers we tested just to obtain certain needed system administrator rights.[12] Active Directory® offers improved controls by creating system administrator groups whose rights can be customized to the needs of the employees in the groups.

[11] User rights are tasks a user is permitted to perform on a computer or network. User rights determine who can log on to a system and the tasks they are permitted to perform. For example, a user can be given the right to change a system’s time or access a system’s security logs.

During this review, the IRS began to create system administrator groups whose rights were customized. For example, a group was created with full system administrator rights, but the employees in the group could access only computers they were assigned to manage. Another group was created with limited system administrator rights to manage user accounts throughout the domain. The IRS is still developing criteria for granting system administrator access into Active Directory® based on the employees’ job roles and determining approval paths for the various levels of access.

The process of reviewing and revising old rights and the establishment of centrally managed system administrator groups are expected to be a multiyear project and require buy-in from the various IRS business units.
To expedite the implementation of Active Directory®, the IRS
decided to use the same access rights (including system administrator rights) from the previous
operating system regardless of whether the employees still needed all the rights in their groups.
However, the risk of an employee accidentally or inappropriately accessing data or disrupting
computer operations will be elevated until customized system administrator groups are
established that limit users to only the rights they need.

Unnecessary system administrator accounts were established on servers. The IRS requires
system administrator accounts to be created in centrally managed groups rather than on
individual servers. Creating system administrator accounts on servers poses two problems.
First, controls over accounts created on servers may be weaker than controls on accounts created
centrally. Accounts on servers are governed by control settings on the servers, whereas accounts
created in centrally controlled groups are governed by group policy objects. Because it is much
more difficult to maintain consistent settings on individual servers than in group policy objects,
the risk of security weaknesses increases. Second, finding and deleting accounts on servers for
employees who change positions or leave the IRS can be a nearly impossible task in a large
network because each server has to be checked. As a result, accounts that should be deleted may
be overlooked and can be targeted for misuse by persons attempting to gain unauthorized access
to the system. When accounts are created in a centrally controlled group, the group account is
placed on the servers the group needs to access. When an employee no longer needs access to
the servers, the employee just has to be removed from the central group.

We found system administrators had established system administrator accounts on
26 (49 percent) of the 53 servers we sampled.
Sixty-eight system administrator accounts
belonging to 27 system administrators had been directly created on these servers. Some of the
accounts had been needed temporarily, while the servers were being prepared to be migrated into
the Active Directory®-based network, but were not subsequently removed. Five (18.5 percent) of
the 27 system administrators also had duplicate system administrator accounts that had been
centrally created. As a result, the risk that system administrator accounts could be misused was
increased.

¹² Secure Configurations Are Initially Established on Employee Computers, but Enhancements Could Ensure
Security Is Strengthened After Implementation (Reference Number 2006-20-031, dated February 2006).

Built-in system administrator accounts are not being adequately safeguarded. Every server is
provided a built-in system administrator account named Administrator that was created as part of
Microsoft’s design of the operating system. Its purpose is to have an account that can be used if
problems prevent system administrators from using their centrally created accounts. To prevent
unauthorized persons from recognizing and using these accounts, the IRS requires system
administrators to rename the accounts.

On 30 (57 percent) of the 53 servers we reviewed, system administrators had not sufficiently
disguised the built-in accounts. The new names on the 30 servers still allowed these accounts to
be identified as regular system administrator accounts.
Even if the new names had fully
disguised the accounts, the built-in system administrator accounts were readily apparent on
all 53 sampled servers because, directly next to the account names, there were descriptions
labeling them as built-in system administrator accounts. To fully disguise these powerful
accounts, the descriptions should also be changed. Because these powerful accounts, unlike
regular system administrator accounts, do not lock up after several unsuccessful attempts are
made to guess the password, they could be the target of persons who are attempting to gain
unauthorized access to the system or disrupt computer operations.

For the latter two issues, the Chief Information Officer has not provided sufficient oversight over
system administrators to ensure they comply with procedures and best practices during the
transition to Active Directory®. We are confident the Infrastructure Executive Steering
Committee will provide the oversight and direction necessary to ensure consistent standards for
administrative access are applied as soon as possible.

Recommendations

The Chief Information Officer should:

Recommendation 1: Formalize the approval process for distributing security settings in
Active Directory® and ensure IRS standards are met. If deviations are suggested, concurrence
from the Chief, Mission Assurance and Security Services, and approval from the system owner
should be obtained.

       Management’s Response: IRS management agreed with this recommendation. The
       Associate Chief Information Officer, End User Equipment and Services, will formalize
       the approval process for distributing security settings to Active Directory® using the
       policies and procedures currently in place for current systems and applications.
       Requests for deviations will include the recommendation from the Chief, Mission Assurance and
       Security Services, and approval from the system owner.

Recommendation 2: Increase oversight of system administrator accounts and access rights
during the transition to Active Directory®, enforce the IRS procedures that prohibit the creation
of system administrator accounts on individual servers and require built-in system administrator
accounts to be properly disguised, and periodically monitor computers for compliance and hold
system administrators accountable for complying with these procedures.

       Management’s Response: IRS management agreed with this recommendation. The
       Associate Chief Information Officer, End User Equipment and Services, will increase
       and improve oversight of system administrator accounts during the transition to Active
       Directory® and review employees with Active Directory® system administrator rights.
       The Associate Chief Information Officer, End User Equipment and Services, will also
       enforce prohibitions on the system administrator accounts on individual servers, require
       built-in system administrator accounts to be properly disguised, monitor computers
       monthly for compliance, and hold system administrators accountable for complying with
       requirements.
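
The monthly compliance monitoring named in the response to Recommendation 2 can be scripted. The PowerShell below is an added example, not part of the report and not an IRS tool: it flags administrator accounts created directly on a server and a built-in Administrator account whose name or description still identifies it. The function name, the matching patterns and the sample records are assumptions made for illustration.

```powershell
# Added example. Flags the two account findings on one server. Live use needs
# Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
function Get-AdminAccountFinding {
    [CmdletBinding()]
    param(
        # Members of the local Administrators group (well-known SID S-1-5-32-544).
        [object[]]$Members    = (Get-LocalGroupMember -SID 'S-1-5-32-544'),
        # Every local user account on the server.
        [object[]]$LocalUsers = (Get-LocalUser),
        [string]$Server       = $env:COMPUTERNAME,
        # Assumed patterns for a name or description that gives the account away.
        [string]$NamePattern  = 'adm',
        [string]$DescPattern  = 'built-in|administ'
    )
    # Helper that emits one finding row; $Server is read from the function scope.
    $report = { param($account, $finding)
        [pscustomobject]@{ Server = $Server; Account = $account; Finding = $finding } }

    # Finding 1: administrator accounts created directly on the server rather than
    # granted through a centrally managed group. RID 500 is the built-in account.
    foreach ($m in $Members) {
        if ($m.PrincipalSource -eq 'Local' -and "$($m.SID)" -notmatch '-500$') {
            & $report $m.Name 'Administrator account created on the server'
        }
    }

    # Finding 2: the built-in Administrator is found by RID 500, which survives a
    # rename, then checked for a revealing name or description.
    foreach ($u in $LocalUsers | Where-Object { "$($_.SID)" -match '-500$' }) {
        if ($u.Name -match $NamePattern) {
            & $report $u.Name 'Built-in account name still identifies it'
        }
        if ($u.Description -match $DescPattern) {
            & $report $u.Name 'Description still labels the built-in account'
        }
    }
}

# Constructed sample records for a hypothetical server SRV01 (not audit data).
$sid = 'S-1-5-21-1111111111-2222222222-3333333333'
$members = @(
    [pscustomobject]@{ Name = 'SRV01\LocalAdm';   SID = "${sid}-500";  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'SRV01\jdoe-admin'; SID = "${sid}-1004"; PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'EXAMPLE\Server Admins'; PrincipalSource = 'ActiveDirectory'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-1130' }
)
$users = @(
    [pscustomobject]@{ Name = 'LocalAdm'; SID = "${sid}-500"
                       Description = 'Built-in account for administering the computer/domain' }
    [pscustomobject]@{ Name = 'jdoe-admin'; SID = "${sid}-1004"; Description = '' }
)
Get-AdminAccountFinding -Members $members -LocalUsers $users -Server 'SRV01' |
    Format-Table -AutoSize
```

Called with no arguments on a Windows server, the function reads the live accounts instead of the sample records; running it through Invoke-Command extends the check to a list of servers.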
                                                                                   Appendix I

            Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the Internal Revenue Service
(IRS) had effectively and securely implemented the Active Directory®-based network and the
Windows 2003® Server Operating System. To accomplish this objective, we:

I.         Determined whether the IRS had effectively and securely created and implemented the
           structural components of Windows 2003® and Active Directory®.
           A. Evaluated whether the forest,¹ domain,² and other structural components of Active
              Directory® were created and implemented soundly and securely following industry
              best practices.
           B. Reviewed the adequacy of general security controls used to connect to and access
              Active Directory®.
           C. Determined whether Active Directory® system administrators had received adequate
              training.
           D. Reviewed the progress and status of Active Directory® features the IRS had not yet
              implemented.
           E. Reviewed the progress and status of computing resources the IRS had not yet brought
              into the Active Directory®-based network.
II.        Determined whether computers residing in the Active Directory®-based network were
           configured with strong security settings.
           A. Reviewed the IRS’ security standards to determine whether all computer security
              controls had been addressed.
           B. Evaluated the procedures and methods the IRS uses to install security settings onto
              computers and test computers for compliance with security standards.
           C. Selected a judgmental sample of 53 servers from the universe of 399 servers the IRS
              had moved into the Active Directory®-based network when we initiated this review in
              July 2005. We tested the 53 servers to determine whether strong computer security
              controls had been implemented through Active Directory®. Since servers with
              different server roles (for example, file servers, print servers, and domain controller
              servers) have different security configurations, we judgmentally selected about
              5 servers from each of the 12 server roles. Some server roles had a population of
              fewer than five servers. Judgmental samples were used because we were not
              planning to project the results against the entire universe.
           D. Used the IRS’ configuration-checking computer program to assess the adequacy of
              computer-based controls on the 53 sampled servers.
           E. Reviewed the purpose, necessity, and security of groups and accounts that had been
              created directly on the 53 sampled servers.
III.       Determined whether the IRS had effectively used organizational units and group policy
           objects³ to ensure its computers met computer security standards.
           A. Reviewed documentation on the IRS’ organizational units and group policy objects.
           B. Analyzed security weaknesses identified in the 53 sampled servers and determined
              whether group policy objects had been correctly configured.
           C. Assessed the IRS’ plans for continued progress in implementing organizational units
              and group policy objects.

¹ The forest is the outermost logical boundary of Active Directory®.
² A domain is a group of computers on a network that are administered as a unit with common rules and procedures.
³ Group policy objects contain security settings which are applied to corresponding groups of computers.

                                                                                  Appendix II

                 Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Gerald Horn, Audit Manager
Myron Gulley, Acting Audit Manager
Richard Borst, Senior Auditor
Mary Jankowski, Senior Auditor
Jody Kitazono, Senior Auditor
Stasha Smith, Senior Auditor

                                                                                 Appendix III

                         Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief, Mission Assurance and Security Services OS:MA
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
       Chief Information Officer OS:CIO
       Chief, Mission Assurance and Security Services OS:MA

                                                                                  Appendix IV

                 Management’s Response to the Draft Report